AMENDMENTS TO THE CLAIMS 
Please cancel claims 6, 14, and 21 and amend claims 1-2, 5, 7, 9-10, 15-17, and 22-24 as 
follows: 

1. (Currently Amended) A network security system comprising: 

a first distributed software agent to collect a first stream of alerts from a first network 
security device having a first clock, each alert in the first stream representing an 
event detected by the first network security device and including a time of 
detection by the first network security device according to the first clock; 

a second distributed software agent to collect a second stream of alerts from a second 
network security device having a second clock, each alert in the second stream 
representing an event detected by the second network security device and 
including a time of detection by the second network security device according to 
the second clock; and 

a manager module in communication with the distributed software agents to: 
receive the first and second stream of alerts[[,]]; 

identify a common event represented by a first alert in the first stream from the 
first network security device and by a second alert in the second stream 
from the second network security device , wherein the first alert includes 
an Internet Protocol (IP) address, and wherein the second alert includes 
the IP address; 

determine, based on the first alert and the second alert, whether the first clock and 
the second clock are synchronized; and 
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if the first clock and the second clock are not synchronized, synchronize the first 



clock and the second clock using the 



2. (Currently Amended) The network security system of claim 1, wherein the manager module 
synchronizes the first clock and the second clock by determining a synchronization error using 



3. (Original) The network security system of claim 1, wherein the manager module synchronizes 
the first clock and the second clock by selecting one of the first and second clocks as a reference 
clock, and adjusting the other clock to the reference clock. 

4. (Original) The network security system of claim 3, wherein selecting one of the first and 
second clocks comprises determining a relationship of the first and second clocks to a system- 
wide reference clock. 

5. (Currently Amended) The network security system of claim 1, wherein the manager module 
synchronizes the first clock and the second clock by adjusting a time offset associated with the 
first clock that is stored by the manager module . 

6. (Cancelled) 



the time of detection of the 



event included in the first alert and the time of detection ef- 




included in the second alert, and correcting the synchronization error. 
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7. (Currently Amended) The network security system of claim 1, 
identifies a common event by determining that the second alert m 
the first alert. 



wherein the^ 
i corroborativ 



Lanager module 
-of corroborates 



8. (Original) The network security system of claim 1, wherein the first network security device 
comprises an Intrusion Detection System (IDS). 

9. (Currently Amended) A method performed by a network security system, the method 
comprising: 

receiving a first stream of alerts from a first network security device having a first clock, 
each alert in the first stream representing an event detected by the first network 
security device and including a time of detection by the first network security 
device according to the first clock; 

receiving a second stream of alerts from a second network security device having a 

second clock, each alert in the second stream representing an event detected by 
the second network security device and including a time of detection by the 
second network security device according to the second clock; 

identifying a common event represented by a first alert in the first stream from the first 
network security device and by a second alert in the second stream from the 
second network security device , wherein the first alert includes an Internet 
Protocol (IP) address, and wherein the second alert includes the IP address ; 

determining, based on the first alert and the second alert, whether the first clock and the 
second clock are synchronized; and 
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if the first clock and the second clock are not synchronized, synchronizing the first clock 
and the second clock using the common event . 



10. (Currently Amended) The method of claim 9, wherein synchronizing the first clock and the 
second clock comprises determining a synchronization error using the time of detection of the 
common event included in the first alert and the time of detection of the common event included 
in the second alert, and correcting the synchronization error. 

11. (Original) The method of claim 9, wherein synchronizing the first clock and the second clock 
comprises selecting one of the first and second clocks as a reference clock, and adjusting the 
other clock to the reference clock. 

12. (Original) The method of claim 11, wherein selecting one of the first and second clocks 
comprises determining a relationship of the first and second clocks to a system-wide reference 
clock. 

13. (Original) The method of claim 9, wherein synchronizing the first clock and the second clock 
comprises adjusting a time offset associated with the first clock. 

14. (Cancelled) 

15. (Currently Amended) The method of claim 9, wherein identifying a common event 
comprises determining that the second alert is corroborative of corroborates the first alert. 
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16. (Currently Amended) A machine readable medium storing a set of instructions that, when 
executed by the machine, cause the machine to: 

receive a first stream of alerts from a first network security device having a first clock, 
each alert in the first stream representing an event detected by the first network 
security device and including a time of detection by the first network security 
device according to the first clock; 

receive a second stream of alerts from a second network security device having a second 
clock, each alert in the second stream representing an event detected by the 
second network security device and including a time of detection by the second 
network security device according to the second clock; 

identify a common ovont roprosontod by a first alert in the first stream from the first 
n e twork s e curity device and by a second alert in the second stream from th e 
second network security device wherein the first alert includes an Internet 
Protocol (IP) address, and wherein the second alert includes the IP address ; 

determine, based on the first alert and the second alert, whether the first clock and the 
second clock are synchronized; and 

if the first clock and the second clock are not synchronized, synchronize the first clock 
and the second clock using the common event . 

17. (Currently Amended) The machine readable medium of claim 16, wherein synchronizing the 
first clock and the second clock comprises determining a synchronization error using the time of 
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detection of the common event included in the first alert and the time of detection of the 
event included in the second alert, and correcting the synchronization error. 



18. (Original) The machine readable medium of claim 16, wherein synchronizing the first clock 
and the second clock comprises selecting one of the first and second clocks as a reference clock, 
and adjusting the other clock to the reference clock. 

19. (Original) The machine readable medium of claim 18, wherein selecting one of the first and 
second clocks comprises determining a relationship of the first and second clocks to a system- 
wide reference clock. 

20. (Original) The machine readable medium of claim 16, wherein synchronizing the first clock 
and the second clock comprises adjusting a time offset associated with the first clock. 

21. (Cancelled) 

22. (Currently Amended) The machine readable medium of claim 16, wherein identifying a 
common event comprises determining that the second alert is corroborative of corroborates the 
first alert. 

23. (Currently Amended) A network security system comprising: 
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a plurality of distributed software agents to each collect alerts from a plurality of 

corresponding network security devices , each network security device having a 
clock ; and 

a manager module in communication with the distributed software agents to; 
receive the alerts[[,]]; 

identify a common event represented by alerts from a subset of the plurality of 
network security devices, wherein all of the identified alerts include a 
particular Internet Protocol (IP) address; 

determine, based on the identified alerts, whether the clocks of the subset of the 
plurality of network security devices are synchronized; and 

if the clocks of the subset of the plurality of network security devices are not 
synchronized, synchronize the clocks of the subset of the plurality of 
network security devices using the common event . 

24. (Currently Amended) The network security system of claim 23, wherein the manager module 
synchronizes the clocks of the subset of the plurality of network security devices by adjusting 
timestamps in each alert received from the subset of the plurality of network security devices. 
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